Why CISPA Shows We Need Strong EU Data Protection

It seems hard to believe that it was only a little over a year ago that the threat from the US SOPA (Stop Online Piracy Act) was averted (and that ACTA was still with us in the EU). But of course the war is never won: new threats to freedom and...

Glyn Moody
April 19, 2013

Share

Twitter

Facebook

LinkedIn

It seems hard to believe that it was only a little over a year ago that the threat from the US SOPA (Stop Online Piracy Act) was averted (and that ACTA was still with us in the EU). But of course the war is never won: new threats to freedom and openness on the Internet just keep on coming.

Here in the UK we have the idiotic Snooper's Charter, which will not only destroy civil liberties, but actually make everyone in this countries less safe because of the enticing stores of intimate information to be found dotted around the Net. And in the US, the latest threat is CISPA: "Cyber Intelligence Sharing and Protection Act."

That name alone should tell you all you need to know: this is an attempt to use cyber-FUD to justify the most outrageous government powers that would never be contemplated in ordinary life; and yet, thanks to the invocation of the magic "cyber" prefix, everything becomes possible – and permissible.

Information provided to the federal government under CISPA would be exempt from the Freedom of Information Act (FOIA) and other state laws that could otherwise require disclosure (unless some law other than CISPA already requires its provision to the government).

CISPA's authors argue that the bill contains limitations on how the federal government can use and disclose information by permitting lawsuits against the government. But if a company sends information about a user that is not cyberthreat information, the government agency does not notify the user, only the company.

Basically, the Act would allow private companies to share the personal information of their customers with any US government agency with complete impunity – specifically, they could not be sued by members of the public for doing so, and therefore would have no incentive not to. That sharing includes, of course, all the spying agencies. Essentially, by putting "cyber" in front, the US government gets to ride roughshod over most of the privacy protections built into current US law.

Of course, the main companies affected by this are Internet companies, which means that Google, Facebook et al. would be encouraged to share any and all information about users with the US government. One organisation that has come out against CISPA is Mozilla:

While we wholeheartedly support a more secure Internet, CISPA has a broad and alarming reach that goes far beyond Internet security. The bill infringes on our privacy, includes vague definitions of cybersecurity, and grants immunities to companies and government that are too broad around information misuse.

That's welcome, but hardly unexpected given Mozilla's roots and aims. More surprising, is Microsoft's statement that:

any law must allow "us to honor the privacy and security promises we make to our customers."

That's something that the current CISPA most assuredly does not do.

The bill passed in the US House of Representatives yesterday, and now moves to the US Senate. President Obama has made a vague threat to veto it in its current form, but that probably just means he wants some tinkering before approving it. Writing in the Guardian, Dan Gillmor points out:

Last year, when the same legislation came up, a Senate filibuster killed it. We cannot count on being so fortunate again. And please don't assume that President Obama will follow through on Tuesday's warning that he might veto the bill (pdf) if passed in its current form. This is a president, after all, who has made so many civil liberties vows that he later broke.

With this week's Boston bombs and ricin scares, Congress is surely in its standard "do something to show we're tough on security" mode. Cispa will have an easier time passing than it should as a result.

The message here is clear: some kind of Act allowing US companies to hand over private information about their users to the US government is almost inevitable. The only question is quite how bad it will be.

This has a hugely important consequence here in Europe. It means that it is vital for the European Parliament to insist that the Regulation on Data Protection currently being debated there must be as strong as possible. In particularly, it must not allow US companies to pass on private information to the US government under CISPA-like laws.

Of course, the US companies will say that it is impossible for them to refuse, but that just means we need a completely new approach for US companies working in Europe that allows EU data to be kept in the EU, without any possibility of it being sent outside. If we don't, we are effectively agreeing to let the US spy on hundreds of millions of EU citizens as a matter of course, with no oversight, no control over the consequences, and no redress when people and companies suffer wrong as a result.